According to some of the top cybersecurity researchers, like Symantec, Kaspersky Lab and Google, there seems to be some technical evidence that the WannaCry malware attack that is infecting and wrecking havoc on more than 300,000 computers in over 150 countries, has a connection to the North Korean-run hacking operation known as the Lazarus Group.
The Lazarus Group, which has widely been regarded as a Korean nation-state hacking group, that has been blamed for a recent string of bank heists and well as the 2014 Sony hack.
First Links To Suspicion
Speculation of a possible North Korea connection went live today after Google researcher Neel Mehta posted a cryptic tweet showing similar code elements of the two pieces of malware, with the hashtag #WannaCryptAttribution, and researcher Matthiu Suiche then tweeted a screenshot of the two code families, saying, "Similitude between #WannaCry and Contopee from Lazarus Group ! thx @neelmehta - Is DPRK behind #WannaCry ?"
After the intriguing tweets, Kaspersky Lab late today posted a blog outlining the similarities between the WannaCry and Lazarus Group code. They confirmed that the February ransomware variant is a precursor to the WannaCry attacks this month. "It shares the same the list file extension targets for encryption but, in the May 2017 versions, more extensions were added," they wrote.
"Neel Mehta's discovery is the most significant clue to date regarding the origins of Wannacry," Kaspersky researchers wrote. But they say more research is necessary to more definitively connect any dots.
The Link? Shared Computer Code
Apparently, a variant of WannaCry found in February shared some computer code with a hacking tool the Lazarus group used in 2015.
“For now, more research is required into older versions of Wannacry,” Kaspersky Lab said in a blog post. “We believe this might hold the key to solve some of the mysteries around this attack.”
On Monday, security firm Symantec also reported finding clues that may link WannaCry with the shadowy group. It’s found earlier versions of the ransomware on machines that have been compromised by hacking tools used by Lazarus, according to Vikram Thakur, technical director at the company.
“Shortly after these tools were found on these machines, we could see WannaCry files showing up,” he said.
Still Just Suspicions, No Smoking Gun...Yet.Some experts also report that the evidence is very circumstantial. And that it's not uncommon for tools used in other hacks or often leaked on the internet so anyone interested could also use the shared code.
[caption id="attachment_2642" align="alignnone" width="720"] A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS ATTENTION EDITORS - THIS IMAGE WAS PROVIDED BY A THIRD PARTY. EDITORIAL USE ONLY. NO RESALES. NO ARCHIVE.?[/caption]
Hackers do reuse code from other operations, so even copied lines fall well short of proof.
U.S. and European security officials told Reuters on condition of anonymity that it was too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.
FireEye Inc (FEYE.O), another large cyber security firm, said it was also investigating a possible link.
“The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator,” FireEye researcher John Miller said.
Looks like we have to wait and see if the evidence the cybersecurity researchers come up with can say definitively whether or not who was the real culprit in these attacks. You can, however, rest assured knowing that some of the best and brightest are on the case and will get to the bottom of this.
View our CyberSecurity section for more stories like this and other cybersecurity news.